
fix(deps): bump form-data to patched 2.5.6/3.0.5/4.0.6#37

Open
clarion-by-cantina[bot] wants to merge 1 commit into
mainfrom
fix/dependabot-form-data-patched

Conversation

clarion-by-cantina (bot) commented Jun 19, 2026


Summary

Bumps form-data to patched versions to address a CRLF injection vulnerability (GHSA-hmw2-7cc7-3qxx / CVE-2026-12143, CWE-93).

form-data is a transitive runtime dependency (pulled in via axios, graphql-request, @types/node-fetch, request, and @pinata/sdk). Five vulnerable instances were installed across the 2.x / 3.x / 4.x lines. This PR adds scoped npm overrides to bring each instance to the first patched release within its own major line, avoiding breaking API changes for the consuming packages.

Severity note: GitHub/CVSS rates this high (7.5), but the advisory is explicitly conditional — it is only exploitable when an application passes untrusted input as a multipart field name or filename. routing-api never imports form-data directly and never constructs multipart bodies from untrusted input (outbound calls use JSON). Real-world exposure for this service is therefore low. This bump is applied as dependency hygiene to clear the finding.

Vulnerability

  • Advisory: form-data: CRLF injection via unescaped multipart field names and filenames
  • GHSA: GHSA-hmw2-7cc7-3qxx · CVE: CVE-2026-12143 · CWE: CWE-93
  • Affected ranges → patched: < 2.5.6 → 2.5.6; >= 3.0.0 < 3.0.5 → 3.0.5; >= 4.0.0 < 4.0.6 → 4.0.6

Changes

  • package.json — added scoped overrides for form-data (per major line).
  • package-lock.json — regenerated; all form-data instances now resolve to patched versions:
    • 2.5.1 → 2.5.6 (top-level / request / @pinata/sdk)
    • 3.0.1 → 3.0.5 (graphql-request)
    • 4.0.0 → 4.0.6 (axios / @types/node-fetch)

Validation

  • npm ci succeeds (lockfile in sync).
  • prettier --check passes on the changed files (package.json, package-lock.json).
  • yarn.lock intentionally left unchanged — CI installs via npm ci; npm overrides are not consumed by yarn.

Notes

  • No source code changes required; no breaking changes within the pinned major lines.
  • Pre-existing CI failure (unrelated to this change): the Prettier check reports 17 formatting errors, all in source files this PR does not touch (lib/**/*.ts, tsconfig.json). These formatting issues exist on main independently of this dependency bump and are out of scope here. The Run linters job and all Wiz scanners pass.


Automated remediation by Clarion.
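The advisory summarized above describes a CRLF injection (CWE-93) through unescaped multipart field names and filenames. The following is an added example, not form-data's own code and not the patch it shipped: a builder that interpolates the caller's filename verbatim next to a hardened builder that percent-encodes CR, LF and the double quote the way the WHATWG multipart/form-data encoder does (%0D, %0A, %22), plus a minimal header splitter showing what a receiving parser sees in each case. The function names and the attacker-controlled filename are constructed for the illustration.

```javascript
// Added example, not form-data's own code: why an unescaped multipart field
// name or filename is a CRLF injection (CWE-93), and one hardened builder.
// The unsafe builder reproduces the vulnerable pattern; the safe one
// percent-encodes CR, LF and '"' as the WHATWG multipart/form-data encoder
// does (%0D, %0A, %22). Illustration only, not the exact upstream patch.

// Vulnerable pattern: interpolate caller-supplied values verbatim.
function buildPartHeaderUnsafe(name, filename) {
  let header = `Content-Disposition: form-data; name="${name}"`;
  if (filename !== undefined) header += `; filename="${filename}"`;
  return header + '\r\n';
}

// Hardened: the value can no longer close the quoted-string or start a new
// header line, because the three dangerous bytes are percent-encoded.
function escapeMultipartValue(value) {
  const map = { '\r': '%0D', '\n': '%0A', '"': '%22' };
  return String(value).replace(/[\r\n"]/g, (c) => map[c]);
}

function buildPartHeaderSafe(name, filename) {
  let header = `Content-Disposition: form-data; name="${escapeMultipartValue(name)}"`;
  if (filename !== undefined) header += `; filename="${escapeMultipartValue(filename)}"`;
  return header + '\r\n';
}

// Minimal server-side view of a part's header block: one header per CRLF
// line. Returns the lower-cased field names a receiving parser would see.
function headerFields(headerBlock) {
  return headerBlock
    .split('\r\n')
    .filter((line) => line.length > 0)
    .map((line) => line.slice(0, line.indexOf(':')).trim().toLowerCase());
}

// Constructed attacker-controlled filename: closes the quoted filename and
// then smuggles a Content-Type header into the same part.
const INJECTED_FILENAME = 'report.txt"\r\nContent-Type: text/html';

function demo() {
  const unsafe = buildPartHeaderUnsafe('file', INJECTED_FILENAME);
  const safe = buildPartHeaderSafe('file', INJECTED_FILENAME);
  return {
    unsafeFields: headerFields(unsafe), // ['content-disposition', 'content-type']
    safeFields: headerFields(safe),     // ['content-disposition']
    safeHeader: safe,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The unsafe builder lets the filename terminate the Content-Disposition line, so the parser sees a second, attacker-chosen header for that part; the hardened builder keeps the whole value inside one quoted-string. This is the condition the advisory states: the bug only matters where untrusted input reaches the name or filename, which is why the PR's own severity note rates real exposure for routing-api as low.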

Resolve GHSA-hmw2-7cc7-3qxx (CVE-2026-12143) CRLF injection in form-data.
Add scoped npm overrides to bump all transitive form-data instances to the
first patched release within their major line.
clarion-by-cantina (bot) marked this pull request as ready for review June 19, 2026 20:25